On September 13, 2016, the New York State Department of Financial Services (NYDFS) announced proposed cyber security regulations to protect consumer data and financial systems from the ever-growing threat of cyberattacks.
The proposed regulations will require banks, insurance companies, and other financial institutions regulated by the NYDFS to:
- Establish a cyber security program that includes “identifying the nonpublic information stored on the covered entity’s information systems, the sensitivity of such nonpublic information, and who and by whom such Nonpublic Information may be accessed.”
- Appoint a Chief Information Security Officer (CISO) responsible for preparing a cyber security report, at least bi-annually, and presenting this report to the financial institution’s Board of Directors. The report must also be available to the NYDFS upon request.
- Regularly test cyber security systems including annual penetration testing and quarterly vulnerability assessments of information systems.
- Monitor and limit user access by tracking and maintaining logs of all privileged and authorized user access to critical systems and limiting access to nonpublic information “solely to those individuals who need access to such systems to perform their responsibilities.”
- Notify NYDFS of any material data breaches within 72 hours of the security event.
- Submit annual certification from the Board of Directors that their financial institution is in compliance with the cyber security
The proposed regulation, which is based on surveys, reports and investigations conducted by NYDFS since 2013, is subject to a 45-day notice and public comment period before final adoption. The proposal, unless modified, would become effective on January 1, 2017, with a 180-day grace period for compliance.
Biggest impact on smaller, regional financial institutions
NYDFS regulates state-chartered and foreign banks licensed to operate in the state, including Barclays, Goldman Sachs Group, and China Construction Bank. The planned cyber security regulations will no doubt increase compliance requirements across all regulated financial entities. However, smaller financial firms will be most impacted.
Large banks and insurance companies have invested in well-developed cyber security programs. They often have higher security budgets and a deep bench of IT security personnel. Case in point: according to a Forbes report from earlier this year, J.P. Morgan Chase is spending half a billion dollars on cyber security this year.
Unlike the large financial institutions, smaller financial firms may not have built robust cyber security programs. These small banks, credit unions, insurers, and investment firms may need to bring their cyber security programs up to the minimum standards outlined in the proposed cyber security regulation.
Cybersecurity also top of mind for federal regulators
While NYDFS is the first state regulator to issue cyber security guidelines, it is not alone in focusing on cyber security in the financial services industry. Federal financial regulators in the U.S. have spent the last few years stepping up attention on and examination of cyber security. Both the Securities and Exchange Commission (SEC) and the Federal Financial Institutions Examination Council (FFIEC) have made cyber security an examination priority.
Last year, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced a Cybersecurity Examination Initiative and issued cyber security guidelines for broker-dealers and investment advisors. More notably, the SEC is flexing its regulatory muscle. In September 2015, it settled cyber security charges against an investment advisor, and in June 2016, it fined J.P. Morgan Chase $1M for failing to safeguard customer data. Cybersecurity continues to be an examination priority for 2016.
Imperva helps financial institutions comply with multiple regulations
In today’s heightened regulatory environment, it’s no wonder that bank CISOs are stepping up their cyber security spending. According to American Banker, the top driver for security spending is regulators’ concerns, and data security is a top priority.
Imperva delivers industry-leading data security solutions that address key regulations impacting financial institutions. Leading banks, investment firms and insurers rely on our data security solutions to audit all access to sensitive data, monitor privileged users, identify insider threats, and simplify compliance reporting.
To learn more about how Imperva helps financial institutions protect data and comply with industry regulations, download the Cyber Security and Compliance Guide for Financial Services ebook.